Researchers with IBM's ISS group say that cyber-criminals are using malware personalization schemes that allow for maximum exposure and more consistent payoff.

By Matt Hines

InfoWorld|Mar 27, 2007

Malware purveyors are increasingly tailoring their virus distribution and attack techniques to take advantage of different classes of end-users, according to researchers with the Internet Security Systems' X-Force team at IBM.

Top experts with the Atlanta-based research operation said that malware writers, phishing scheme operators, and botnet herders are more frequently employing so-called personalization tools to make their attacks more effective.

Much like the online marketing companies that gather bits of information to target advertising at individual Web users, cyber-criminals are creating malware outlets and code executions that scan readily-available details about people's' computing posture to find appropriate recipients for their work.

The approach uses any information that is found to isolate the right attack to deliver based on factors like the particular Web browser or operating system that an individual who being targeted is using.

By combining the more intelligent threat delivery approach with hard-to-detect Trojan, botnet, and cross-site scripting attacks, cutting-edge criminals are finding plenty of ways to take advantage of end users, said Gunter Ollman, director of security strategy for IBM ISS.

"With every Web page request, people send out a header that describes their browser and also tells you what language the request is being made in and sometimes even the cache level of the host it is running on; there's a lot of information in there, including the IP address of the person making the request," Ollman said.

According to X-Force's 2006 annual report on security trends, 30 percent of malicious Web sites were already using personalization techniques by the end of last year. The company said it is expecting that number to grow rapidly in 2007.

"By combining the IP address and all the host details in the browser, we're seeing that attackers build sites that ensure they only use exploits that will work against a specific host," the expert said.

In addition to determining which version of browser or OS software someone is using, many of the attacks can assess what level of security patch a particular program has in place, according to the researcher.

Cyber-criminals are also loading malware-infected Web pages with numerous code execution threats to assault many different aspects of varied sets of users with dozens of pieces of code being served up on a single URL.

Many of the threats are hidden in individual elements of Web pages, including flash files, pdfs and images, which may each contain multiple attacks meant to take advantage of different vulnerabilities.

Ollman said that ISS has also observed that these more advanced malware efforts are also collecting IP address information from end users to ensure that they don't repeatedly send the same threats to their computers. The smartest groups are also trading information about IP addresses known to be used by security researchers to keep their latest work from being discovered.

"If you browse that type of malware site, it will serve exploit code, but only try it once; they know that people might start to get suspicious if the same part of a site crashes twice or acts abnormally," said Ollman. "These attackers don't want people to get copies of their new code or to know what sites they have hosting the content; they know that sites get closed down or added to black lists very quickly these days if they're not careful."

Ollman said that most of the exploits do not deliver spyware, but instead pass along smaller files known as droppers that are less likely to be identified by anti-virus systems that sit quietly but then call out across the Internet and draw-in real malware programs.

Many of the eventual spyware programs that are downloaded are even stealthy, the researcher said. The attacks frequently wait until a user opens a specific site or application before springing to life and beginning to intercept users' details, according to ISS's research.